...
Subject | Question | Response | Further Comments |
Documentation and resources |
| ||
Admin Details | Software / App Name(s) | External Share for Confluence | |
Vendor Name | Warsaw Dynamics | ||
Vendor on Marketplace | https://marketplace.atlassian.com/vendors/1220579/warsaw-dynamics | ||
Vendor Head Office | Bluszczańska 34/12 | ||
Bug Bounty Programs | Bugcrowd | Part of the initial invite-only Marketplace Apps Bugcrowd Program from Atlassian: https://developer.atlassian.com/platform/marketplace/marketplace-security-bug-bounty-program/ | |
Other programs we are part of | Cloud Fortified apps program | Atlassian Cloud Fortified Apps Program Cloud Fortified Apps is the program for a new designation of apps designed to serve our largest customers and those with more business-critical operating requirements when it comes to apps. For more information: https://developer.atlassian.com/platform/marketplace/cloud-fortified-apps-program/ Atlassian Security Self-Assessment Program The security self-assessment program is a collaboration between Atlassian and Marketplace Partners to increase security awareness and improve security practices. The goal is to increase customer confidence in apps and provide them with necessary information to perform security evaluations. The program involves an annual security self-assessment that Atlassian reviews and approves. During the review process, Atlassian works with the partner to pinpoint vulnerabilities and identify improvements. Once approved, the application expires after one year, and partners must re-apply with updated information each year. For more information: https://developer.atlassian.com/platform/marketplace/security-self-assessment-program/ | |
Development Practices | Development environment | Environments:
| |
Development process/philosophy | Agile / Kanban |
| |
Main Development Tools used |
| ||
GIT Branching strategy | GitHub Flow Methodology | ||
Automated code Reviews | Yes |
| |
Test Management Platform | Zephyr Scale | ||
Code Review | Pull Request reviewed by Senior developer | ||
Release Quality Gates |
| ||
Supply Chain Vulnerability Monitoring |
| ||
Processes & Organization | Do you follow OWASP guidelines | Yes | |
Do you have a Security Vulnerability Communication Process | Yes | ||
Is logging available to capture user access activity? | Yes |
| |
Do you allow 3rd Party audits | No | ||
Have you had 3rd Party audits | No | ||
Has your company ever had a security vulnerability? | Yes | All communicated to us by responsible disclosure and verified & fixed within hours. | |
Have you provided notification to customers affected by severe or critical vulnerabilities | Yes | ||
Do you provide "Safe harbour" to security researches evaluating you product | Yes | Using the Bug Crowd program. For more information: | |
Does your organization maintain and update an incident response policy? | Yes | ||
Has your company ever experienced a security breach involving client data? | No | ||
Was notification provided to state agencies/law enforcement authorities? | N/A | ||
Do you store customer data? | No |
| |
Do you have Disaster Recovery plan | No |
| |
App specific Questions | What data does your app submit to you (Old Street Solutions)? |
| |
Does your App transfer any data to a 3rd party? | No | ||
Where is app hosted? | OVH data-center. Warsaw, Poland. | ||
Does your App need "Internet" access? | No for External Share for Confluence Server and Data Center | ||
Can you provide a "Pen" test report for your plugin? | N/A | ||
Are we allowed to Pen test your App on our instance? | Yes (notification required) | We will allow for pen tests, however it is important that you notify us upfront, as we can get false positive reports, and those can results in functionality limitations because of our proactive reactions. | |
Do you store any User passwords? | No | External user can create account in our service. We store salted and hashed password (Argon2) | |
Where does your App store it's configuration/data? |
| ||
How do you send emails? | We use Mailgun | ||
What Security Scopes to access our Confluence or Jira, do you require for the App to function? | "ACT_AS_USER","READ","WRITE","DELETE" |